MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a9887fef34c6b9ca125aaa02e9837585f545c65e8e424296f1f8cd2151bc424. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9

SHA256 hash: 4a9887fef34c6b9ca125aaa02e9837585f545c65e8e424296f1f8cd2151bc424
SHA3-384 hash: bd02452bb8a14777e8f394727a53ced97a47a35eba29f4e6712a6ae493566ddfc6a342830c1589397de38c3f253f7c48
SHA1 hash: 5c43fff010bb4ca755caed2ad98e18c42c410a2a
MD5 hash: 0fc4e10825f4303c7c0bfc6fc3ddd52b
humanhash: twenty-grey-diet-saturn
File name: 0fc4e10825f4303c7c0bfc6fc3ddd52b
File size: 15'873'583 bytes
First seen: 2022-04-18 19:40:15 UTC
Last seen: 2022-04-20 10:24:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 719ea92bb6bb4c5aaa3e4d2e8bbfdde0 (1 x Meterpreter)
ssdeep: 393216:cW9CFNeXKyCdhcIOelXgpK925pu+DK1DHunR1ullu:n9Cm6XLwpi23rWk1uD
Threatray: 92 similar samples on MalwareBazaar
TLSH: T171F6332BFC5040A2E5B111BB46F7E363F43C6AA18B2D80DF46D8135B5B787E216B624D
TrID:
  33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: e29bcba3bb6993c6 (1 x AveMariaRAT)
Reporter: zbetcheckin
Tags: 32 exe

Intelligence

File Origin
# of uploads: 3
# of downloads: 325
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Query of malicious DNS domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed ransomware wacatac
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 610900; sample ihXDUgnoO1; start date 18/04/2022; architecture WINDOWS; score 48). The graph image is not reproduced; the nodes recoverable from it are:
- Signature: Multi AV Scanner detection for submitted file
- Processes: three instances of ihXDUgnoO1.exe are started; each drops PE32 files including C:\Users\user\AppData\Local\...\win32pipe.pyd, C:\Users\user\AppData\Local\...\win32api.pyd and C:\Users\user\AppData\...\unicodedata.pyd, plus 17 or 20 other files (none flagged as malicious), and each starts a further ihXDUgnoO1.exe child
- Network (per child process): 198.140.158.67 (ZIMMER-BUSINESS-SOLUTIONSUS, United States) plus 21 other IPs or domains; 112.213.89.123 (SUPERDATA-AS-VNSUPERDATA-VN, Viet Nam) plus 9 other IPs or domains; 91.198.174.192 (WIKIMEDIAUS, Netherlands) and 74.208.236.60 (ONEANDONE-ASBrauerstrasse48DE, United States) plus 6 other IPs or domains
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-04-18 19:42:01 UTC
File Type: PE (Exe)
Extracted files: 440
AV detection: 13 of 26 (50.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: persistence pyinstaller
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Unpacked files: 13 entries (SHA256/MD5/SHA1 hash list omitted); one entry carries the detection win_electricfish_auto, and the last entry is the submitted sample itself.
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4a9887fef34c6b9ca125aaa02e9837585f545c65e8e424296f1f8cd2151bc424 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2022-04-18 19:40:29 UTC

url : hxxp://74.119.195.68/python18/